Basic National Regime
Türkiye lacks a dedicated legal framework specifically regulating data privacy for cloud computing. Instead, the legal structure is fragmented, with various regulations imposing specific conditions and restrictions.
The most pertinent legal instruments are as follows.
The Constitution of the Turkish Republic
The Constitution of the Turkish Republic (the “Constitution”) does not explicitly address privacy issues in relation to cloud computing. However, cloud computing frequently involves processing personal data, making Article 20(3) of the Constitution, which protects the right to data privacy ‒ though it provides no definition for personal data ‒ applicable. Under Article 20(3), individuals have the right to:
The Article also stipulates that personal data may only be processed if authorised by law or with the explicit consent of the data subject. Additionally, it mandates that the procedures and principles for processing personal data must be defined by law.
The Turkish Data Protection Law
The Turkish Data Protection Law No 6698 (the “DP Law”) was enacted to specifically regulate the procedures and principles governing the processing of personal data in Türkiye.
The DP Law defines personal data as any information related to an identified or identifiable natural person, making its scope inherently broad. However, the DP Law provides an exhaustive list of special categories of personal data (ie, sensitive data), which includes information concerning an individual’s:
The DP Law defines the processing of personal data as any operation carried out wholly or partially by automated means or by non-automated means, provided it forms part of a data filing system. This encompasses activities such as collecting, recording, storing, protecting, transferring, retrieving and categorising personal data, all of which are relevant to cloud computing.
The DP Law establishes a framework for controllers and processors, outlining the general obligations and principles related to personal data processing. The Personal Data Protection Authority (DPA), Türkiye’s supervisory and regulatory body, further shapes data-processing practices by issuing secondary legislation, guidelines and resolutions.
While the DP Law does not set specific requirements for processing personal data in a cloud environment beyond the general obligations of controllers and processors, the DPA provides additional measures in its guidelines and resolutions (see 2.1 Data Security and the Cloud).
The Turkish Civil Code
Under Turkish law, personal data is considered an aspect of an individual’s personality and is thus protected under the Turkish Civil Code (TCiC). This protection extends to personal data processed in the context of cloud computing.
The Turkish Criminal Code
The Turkish Criminal Code (TCrC) criminalises certain actions that violate personal data protection and prescribes penalties for these offences (see 1.3 Penalties for Non-compliance with Data Privacy Regulations).
The TCrC also imposes penalties for disclosing commercial, banking or customer secrets obtained through one’s title, duty, occupation or profession to unauthorised individuals, which may include transferring such data to cloud systems.
The Law on Banking
Under the Law on Banking (the “Banking Law”), in addition to actors such as those defined in the Law, including banks and financial institutions, those who learn the confidential information of banks and their customers due to their title and duties, as well as third parties, are subject to confidentiality obligations. In this context, they are prohibited from disclosing such information to anyone other than authorised authorities. This obligation may extend to both transfers to cloud systems and the transfers of this data between cloud systems or to another environment.
The Law on Payment and Securities Settlement Systems, Payment Services, and Electronic Money Institutions
The Law on Payment and Securities Settlement Systems, Payment Services, and Electronic Money Institutions (the “Payment Systems Law”) provides a similar confidentiality provision. Accordingly, confidentiality obligations are imposed on those providing support services to the actors defined in the Law (system operators, payment institutions and electronic money institutions) and third parties, prohibiting them from disclosing this information to anyone other than authorised authorities.
The Law on Electronic Communication
The Law on Electronic Communication bans the transfer of traffic and location data abroad unless the data subject’s explicit consent is obtained. This means such data must be stored in local cloud systems in Türkiye if explicit consent is not duly obtained.
The Law on the Regulation of Publications via the Internet and Combating Crimes Committed by Means of Such Publications
The Law on the Regulation of Publications via the Internet and Combating Crimes Committed by Means of Such Publications aims to regulate the obligations of content providers, hosting providers, internet service providers, social network providers and access providers to combat crimes committed via the internet. In this sense, cloud computing providers must also comply with obligations such as notifying the Information and Communication Technologies Authority (ICTA) before providing cloud computing services.
Sector-specific regulations
Various sector-specific regulations also impose specific requirements on cloud users and providers. Some of these regulations enforce strict data localisation requirements, including provisions related to personal data stored in cloud environments (see 2.1 Data Security and the Cloud and 6.2 Data Localisation).
The key sector-specific regulations are as follows:
The DP Law, along with the By-Law on the Procedures and Principles for the Transfer of Personal Data Abroad, are the primary regulations establishing the rules for cross-border transfers of personal data.
The By-Law defines data transfer abroad as the transmission of personal data by a controller or processor, within the scope of the DP Law, to a controller or processor outside Türkiye or making the data accessible to them by any other means. Therefore, both transmitting personal data to a cloud system and making it accessible from abroad constitute a transfer of personal data abroad. Consequently, the general rules outlined in the DP Law apply to such transfers (see 6.1 Cross-Border Transfer Regulation).
While no specific data privacy regulations for cloud environments impose penalties for non-compliance, the general penalties established in the DP Law and the sanctions outlined in the TCrC apply when processing activities in the cloud involve handling personal data.
The DP Law outlines five categories of violations, with administrative fines for these violations adjusted annually. The following categories are particularly relevant for cloud systems, along with their amounts as of 2024:
It is important to note that the right to seek compensation is explicitly stated as one of the rights of data subjects under the DP Law. Furthermore, data subjects can pursue compensation and request that courts prevent a threatened infringement, halt an existing infringement, and declare an infringement unlawful under the TCiC.
Criminal sanctions for actions that violate personal data protection are regulated under the TCrC. Unlawful recording, transfer, publication or acquisition of personal data and failing to destroy personal data after the legally mandated retention period may lead to imprisonment ranging from one to six years. Public prosecutors can initiate investigations ex officio without requiring a formal complaint.
Furthermore, in cases where data transfers to or from cloud systems involve the disclosure of commercial, banking or customer secrets to unauthorised third parties, this may lead to imprisonment of one to three years and judicial fines upon complaint.
The Banking Law and Payment Systems Law also impose similar penalties of imprisonment for one to three years and judicial fines for failing to comply with confidentiality obligations.
Moreover, certain supervisory authorities, such as ICTA for the information and communication sector and the Banking Regulation and Supervision Agency (BRSA) for the banking and financial sector, are empowered to oversee compliance with sector-specific legislation. This may include specific obligations for cloud users and service providers, along with the authority to impose fines for non-compliance.
Technical and Administrative Measures
The DPA’s guidelines and resolutions elaborate technical and administrative measures for controllers processing personal data. For instance, according to the Personal Data Protection Guideline on Technical and Administrative Measures (the “Technical and Administrative Measures Guideline”) and the Guideline on Erasure, Destruction or Anonymization of Personal Data published by the DPA, controllers are subject to certain requirements that extend to evaluating the security measures taken by cloud service providers.
Security measures for storing data in the cloud
Key measures applicable to cloud computing, among others, as outlined in the Technical and Administrative Measures Guideline, include:
Several sector-specific measures, such as maintaining an information asset inventory and establishing an information security management system, as mandated by the By-Law on Banks and Electronic Banking Services, are essential to consider.
Security measures for managing access controls and preventing unauthorised access
Robust security measures are essential for preventing unauthorised access and data breaches, especially in cloud systems. Therefore, it is crucial for controllers to implement specific measures for managing access controls.
For instance, the Technical and Administrative Measures Guideline advises restricting access to environments where personal data is processed, limiting it to authorised individuals using usernames and passwords. Passwords should be complex, renewed periodically and strengthened with additional authentication methods like two-factor or multi-factor authentication. In market practice, this is often reinforced by a triggering mechanism that sends a notification message to authorised individuals, informing them of access to the system.
To enhance security further, the number of password entry attempts should be limited to defend against common cyber-attacks, such as brute force attacks, where an unauthorised user systematically tries different combinations to gain access.
Administrator accounts and privileges should be enabled only when necessary, and accounts for former employees should be promptly deleted or disabled. Controllers are advised to develop an access authorisation and control matrix and establish separate access policies and procedures to implement these within the organisation.
To mitigate cybersecurity vulnerabilities, continuous recording and monitoring of access to cloud systems are crucial. Additional measures to detect and track potential security breaches, such as regular audits, penetration tests, and deploying incident response protocols and breach notification alerts, are essential for enabling the organisation to respond promptly and effectively to security incidents.
Specific measures for special categories of personal data
In 2018, the DPA issued a resolution requiring controllers to implement additional technical and organisational measures to ensure adequate protection when processing special categories of personal data.
For example, controllers must establish a specific policy dedicated to the security of these special categories of personal data. The resolution emphasises the need for additional measures concerning employees involved in processing such data, as well as for the retention, access and transfer of this data.
While the DPA does not specify any particular standards or algorithms for the encryption of personal data in cloud systems, transferring special categories of personal data requires a VPN (virtual private network) or an sFTP (secure file transfer protocol) connection. For non-special categories of personal data, encryption standards are primarily guided by international best practices, such as AES (Advanced Encryption Standard) and RSA (Rivest-Shamir-Adleman) for data at rest, and TLS (Transport Layer Security) and HTTPS (Hypertext Transfer Protocol Secure) for data in transit.
Furthermore, the DPA provides specific guidelines for handling certain types of special categories of personal data, such as the Guidelines on Issues to be Considered in the Processing of Genetic Data, which states that genetic data should, in principle, not be stored in the cloud. Per the Guidelines, if storage in the cloud is necessary, additional measures such as maintaining a detailed record of the data, keeping backups outside the cloud and using two-factor authentication for access should be considered. Moreover, industry standards and best practices should be followed for cryptographic algorithms, and access to cryptographic keys must be restricted to personnel with the appropriate clearance (crypto security certification).
Security Accidents and Breaches
According to the DPA’s decisions, controllers must establish procedures for responding to data breaches. These procedures typically include internal policies to assess whether a security incident qualifies as a data breach and outline the steps for notifying the DPA and affected data subjects.
Controllers must report all data breaches to the DPA, regardless of the risk level to individuals’ rights and freedoms. Notifications must be made within 72 hours of the controller becoming aware of the incident, and affected data subjects should be informed as soon as possible (see 5.3 Notifying Data Breaches).
Additionally, controllers must take immediate action to prevent or mitigate potential harm from data breaches by assessing the scope and nature of the breach. In the context of cloud computing, these measures may involve isolating affected systems to minimise damage, implementing recovery actions to restore normal operations and conducting a post-incident review for future improvement.
Data Ownership and Control in Cloud Agreements
The legal rights and control over data stored or processed in cloud systems, including all information derived from such data, is a complex issue that currently lacks specific regulations.
There are basically two main types of data: (i) data uploaded by cloud users and (ii) data created by the cloud platform. The latter raises questions about who owns the data and how intellectual property rights apply.
Thus, contractual clauses are essential for determining ownership and control over data upfront in writing as well as the conditions for data migration conditions in case of termination of the contractual relationship. By clearly outlining these aspects in the agreement, potential disputes can be mitigated, ensuring both parties understand their rights and responsibilities regarding the data.
In market practice, data ownership and control are primarily defined in cloud agreements, which generally lie with the cloud user, as this party typically collects the data and determines the purposes and means of processing. For instance, major cloud providers such as Microsoft Azure, Google Cloud and AWS typically position themselves as processors, stating that cloud users are the owners and controllers of the data in their cloud agreements.
From the DP Law perspective, the DPA appears to adopt a similar stance by categorising cloud providers as processors without clarifying its position on data ownership, as this falls outside its scope and is primarily a civil law issue. For example, in its Guidelines on Recommendations for Protecting Privacy in Mobile Applications, the DPA notes that personal data collected from mobile applications is often stored in the cloud, and when the application developer utilises cloud services, they may function as processors.
Data Subject’s Rights
Data subjects’ rights regarding their personal data, as specified under Article 11 of the DP Law, are as follows:
These rights are also applicable to the personal data in the cloud system.
Exercising the Right to Access, Rectify and Delete
Data subjects can exercise their rights by submitting a request to the controller or its representative. However, controllers may engage their processors to handle these requests, allowing data subjects to submit their requests directly to the processor. This internal division of responsibilities is typically governed by the data processing agreement (the “DP Agreements”) between the parties; however, it does not diminish the controller’s accountability to the DPA or the data subjects.
Controllers must respond to data subjects’ requests within 30 days of receipt, either by fulfilling the requests or providing justifications for any objections. In cases where controllers fulfil these requests, such as rectifying or deleting personal data in a cloud environment, they must co-ordinate with the cloud provider acting as the processor, and the cloud provider should collaborate with the controller to implement such requests. While this collaboration does not create administrative responsibility for the processor before the DPA, it may result in other liabilities, such as breaches of the DP Agreement with the controller.
If data subjects do not receive a response within this period or are unsatisfied with the reasons for the objection, they have the right to submit a complaint to the DPA.
Unlike the EU General Data Protection Regulation (GDPR), the right to data portability is not established under the DP Law or any other regulation in Turkish jurisdiction. However, market practice addresses the right to data portability through specific contractual provisions in cloud agreements (see 4.4 Exit Strategies and Data Migration).
There is no specific regulation regarding personal data retention and deletion policies for cloud systems. However, general principles provided by the DP Law apply.
According to the By-Law on the Deletion, Destruction, or Anonymization of Personal Data, controllers required to register with the Data Controller Registry (VERBIS) must adopt a personal data retention and destruction policy. This policy must include, at a minimum:
It is crucial for controllers to establish clear retention periods and proper measures for data disposal. They must also ensure that their processors (eg, cloud providers) comply with data disposal requests from controllers, including deletion, anonymisation and destruction of data. Additionally, it is advisable to include specific terms for proper data deletion in cloud agreements, covering backups and archived copies. Regular reviews of stored data are also essential to ensure its accuracy.
Thorough due diligence is essential when selecting a cloud provider to enhance data protection in cloud environments and ensure compliance with legal requirements, primarily the DP Law.
Although no formal list is published by the authorities, cloud users should consider the following key matters before selecting a cloud provider:
It is important to emphasise that the key points mentioned above should be considered not only when selecting a cloud provider and negotiating the service agreement but also throughout the entire duration of the service relationship. This is because the controller is responsible for ensuring that processors implement the necessary measures while engaged in data processing on their behalf.
Data Protection Requirements in Cloud Agreements
Cloud agreements typically include data protection clauses that commit the parties to comply with applicable data protection laws, such as the DP Law and other legislation relevant to cross-border transfer, if it occurs.
These provisions are often reinforced by confidentiality clauses and intellectual property provisions that clarify the protection of confidential information, restrictions on disclosure, and the ownership of personal data processed or derived in cloud environments.
In its Guidelines on Data Controllers and Processors (the “Guidelines on Controllers and Processors”) and various resolutions, the DPA explicitly states that processors must conduct their data processing activities on behalf of controllers strictly in accordance with the controller’s instructions.
Therefore, controllers should include the processor’s commitment to comply with their instructions in writing within the cloud agreements, ensuring that they are clear and aligned with the controller’s needs. For instance, relevant technical and administrative measures to be implemented by processors (see 2.1 Data Security and the Cloud) can be detailed in cloud agreements, along with the processor’s commitment to comply with data disposal requests from controllers (see 3.3 Data Retention and Deletion).
Although the DP Law does not directly mandate controllers and processors to conclude DP Agreements, the Guidelines on Controllers and Processors indicate that the DPA expects the parties to establish DP Agreements to clarify their respective duties and responsibilities (see 4.3 Data Processing Agreements and the Cloud).
For this purpose, in market practice, the parties typically adhere to separate DP Agreements, which regulate data processing activities related to the service agreement between them. These agreements generally outline the obligations of controllers and processors by referencing the DP Law and often include penalty and indemnity clauses in cases of non-compliance.
Measures for Ensuring Cloud Providers Comply with Data Privacy Regulations
Administrative fines and criminal penalties generally serve as strong deterrents for ensuring compliance (see 1.3 Penalties for Non-compliance With Data Privacy Regulations).
However, cloud providers are typically classified as processors and are thus exempt from administrative fines, except for failing to notify the DPA within five business days following the execution of standard contractual clauses (SCCs). Therefore, processors’ accountability to the controller is reinforced through DP Agreements, which clearly define the cloud providers’ roles, responsibilities and obligations, with particular emphasis on penalties and indemnity clauses (see 4.3 Data Processing Agreements and the Cloud). These clauses promote accountability among processors and facilitate dispute resolution by outlining procedures for addressing breaches, ultimately safeguarding the interests of both parties and enhancing overall data governance.
Furthermore, controllers must ensure that appropriate technical and administrative measures are implemented by their processors. Therefore, DP Agreements should include clauses granting the controller the right to audit processors’ activities. Regular and unannounced audits are essential to verify that these measures are continuously applied and that processors comply with the DP Law.
Additionally, it is crucial for DP Agreements to include provisions ensuring that processors adhere to the controller’s policies on personal data storage and destruction.
On the other hand, in market practice, the technical measures implemented by cloud providers are often reinforced by supplementary technology services-related agreements, such as IP licences and SLAs. For instance, SLAs often incorporate clauses related to incident management to effectively manage risks and enhance overall service reliability. They establish clear expectations and include provisions for penalties or service credits if performance standards are unmet.
The DP Law does not explicitly mandate a DP Agreement; however, it can be inferred from the DPA guidelines that the DPA expects controllers to enter into a DP Agreement when entrusting data processing activities to a processor (see 4.2 Data Protection in Cloud Service Agreements).
DP Agreements typically include the following key elements:
Although the authority to decide on the purpose and means of data processing activities belongs to controllers, the DPA clarifies in its Guidelines on Controllers and Processors that controllers may grant processors (eg, cloud providers in cloud environments) the authority to make decisions on certain matters. The following matters are listed as examples:
In market practice, the cloud sector is dominated by a few major operators such as AWS, Microsoft Azure and Google Cloud. As a result, cloud users (controllers) often accept DP Agreements or terms and conditions unilaterally drafted by cloud providers. This is largely due to the imbalance in bargaining power and the impracticality of providers signing individual agreements with each user, which often results in a “take it or leave it” approach with little to no room for negotiation.
Termination and Exit Strategies in Cloud Service Agreements
Cloud service agreements are not specifically regulated under Turkish law. Therefore, there are no specific legal requirements for their termination. In such cases, general rules and principles of contract law apply.
One of the key principles established by the Turkish Code of Obligations (TCO) is the freedom of contract, which allows parties to define nearly every aspect of their relationship, including the inclusion or exclusion of specific termination rights, as long as these terms do not conflict with mandatory legal provisions.
In the context of a cloud environment, cloud agreements are typically executed for a definite term and include renewal options at the end of this period. Parties may terminate the agreement by providing notice to the other party within the agreed notice period before the term ends or choose to renew the agreement.
The most commonly used termination clauses are as follows.
Data and Services Migration Between Cloud Providers
While no specific legislation regulates migration requirements, controllers must implement appropriate measures when transferring personal data to ensure compliance and data security (see 2.1 Data Security and the Cloud).
It is crucial for cloud users to conduct comprehensive due diligence before initiating cloud migration, carefully assessing the risks to the confidentiality, integrity and availability of data while also considering applicable legal requirements. Controllers should also conduct a data protection impact assessment (DPIA) if the data are transferred to a third country (see 6.1 Cross-Border Transfer Regulation).
There are different types of cloud migration methods, which are selected based on the situation's needs, used by cloud providers. The most common cloud migration methods are:
It is important to consider any sector-specific requirements when selecting from the aforementioned migration methods and to ensure that data loss prevention measures are implemented during the migration process.
In the market, major cloud platforms like AWS, Microsoft Azure and Google Cloud offer portability solutions, ensuring that services can run on new cloud infrastructures with minimal modifications.
The rules for notifying data breaches under the DP Law also apply when breaches occur in a cloud environment. The obligation to notify the DPA rests solely with the controller, even if the breach originates from the processor (eg, cloud provider).
In practice, cloud providers often detect breaches before cloud users, as they own and manage the cloud systems. As a result, cloud providers are typically obligated to report these breaches promptly to the cloud users, as stipulated in DP Agreements. This obligation may include strict deadlines for notification, such as within 12 hours of the provider becoming aware of the breach. This urgency is crucial, given the limited timeframe for controllers to notify the DPA (see 5.3 Notifying Data Breaches).
Moreover, failure to report breaches in a timely manner is typically addressed by penalty and revocation clauses within these agreements, designed to hold cloud providers accountable. For instance, if a controller incurs an administrative fine due to a delay in notifying the DPA ‒ resulting from the provider’s negligence in reporting the breach ‒ the controller may exercise their right to seek revocation or other remedies as outlined in the contractual agreement.
In the event of a data breach, the following steps are usually followed by cloud providers to mitigate the damage caused and improve the security system as per best market practice:
In contrast to the GDPR, the DP Law requires that all personal data breaches be notified to the DPA, regardless of whether the breach is unlikely to pose a risk to individuals’ rights and freedoms.
While the DP Law does not specify a timeframe for breach notifications, the DPA’s resolutions suggest that controllers must notify the DPA within 72 hours of becoming aware of a breach.
This notification should be made by submitting the online form available on the DPA’s website. The controller must provide the following information, along with relevant annexes serving as proof.
If the controller cannot provide all requested information within the 72-hour period, they are allowed to submit an initial notification with the available details, followed by a follow-up notification as additional information becomes available.
In addition to notifying the DPA, controllers are required to inform data subjects affected by the breach within a reasonable timeframe and without undue delay. If the contact information for the affected data subjects is available, the notification can be sent directly. If not, appropriate methods should be employed, such as publishing the notification on the controller's website.
The communication of the breach from the controller to the data subject should be made in clear and plain language and must include at least the following:
The DP Law does not specify a particular type of administrative fine for failing to notify data breaches. However, according to DPA’s decisions, controllers who fail to notify the DPA and affected data subjects of a data breach are considered to have failed to implement necessary technical and organisational measures (see 1.3 Penalties for Non-compliance with Data Privacy Regulations).
On the other hand, in addition to the personal data breach notification requirements under the DP Law, a few sector-specific regulations also mandate notifying relevant authorities (eg, ICTA, BRSA) in the event of data breaches. Some of these regulations include the following.
Co-ordination With Cloud Service Providers
Under the DP Law, processors are not directly responsible for notifying the DPA or informing affected individuals in the event of a data breach; this responsibility falls on the controller. However, in its Announcement on the Procedures and Principles for Notification of Personal Data Breaches, the DPA states that processors must promptly inform the controller upon becoming aware of any breach, allowing the controller to take appropriate action.
If processors fail to inform the controller of a breach, the controller may still face penalties for failing to notify the DPA, even if the failure is due to the processor’s fault or negligence.
Therefore, it is essential to have a written DP Agreement that clearly defines the responsibilities of both the cloud user and the cloud provider and outlines breach notification procedures. This ensures proper co-ordination between the parties, allowing the cloud user to fulfil its legal notification obligations (see 5.1 Requirements to Report Data Breaches).
International data transfers in the context of cloud computing under Turkish law are primarily governed by the DP Law, which imposes strict rules to ensure that the rights of data subjects are adequately protected when transferring personal data outside of Türkiye.
The mechanisms for transferring personal data abroad were recently amended to align with the GDPR. The new regime provides two primary gradual options for non-occasional data transfers abroad and an alternative solution for occasional data transfers abroad.
The main gradual options for non-occasional transfers are:
Per the DP Law, data transfers abroad can first be conducted based on adequacy decisions. If no adequacy decision exists, such transfer can be carried out by appropriate safeguards. If this is not possible, the solution for occasional transfers can be used for certain situations.
In line with the former regime, adequacy decisions remain a valid legal basis for international data transfers. The DPA is now empowered to issue adequacy decisions not only for countries but also for international organisations (eg, EU, United Nations) and certain sectors (eg, automotive sector, postal sector) within third countries. However, the DPA has not yet announced any adequacy decision.
In the absence of an adequacy decision, data transfers abroad are still possible through the implementation of appropriate safeguards. These safeguards are only applicable if the conditions for processing personal data are met, and data subjects can exercise their rights and access effective legal remedies in the third country where the data will be transferred.
Although not explicitly stated as a requirement for appropriate safeguards under the DP Law, conducting a transfer impact assessment can be regarded as essential for ensuring that data subjects can adequately exercise their rights and access effective legal remedies in the third country of the data importer.
There are primarily four established methods for implementing appropriate safeguards:
If occasional data transfers abroad occur without an adequacy decision, and appropriate safeguards cannot be ensured, the transfer may still be allowed under the following conditions, provided the transfers are not regular, occur only once or a few times, are not continuous, and are not in the ordinary course of business and one of the following criteria is met:
It is important to emphasise that the regulations outlined in the DP Law concerning the transfer of personal data abroad and to international organisations also apply to onward transfers carried out by both controllers and processors.
Controllers must ensure that their processors implement appropriate technical and administrative measures, particularly when transferring personal data abroad. Due to their international operations, cloud providers often utilise subprocessors located in various third countries, which introduces additional complexities regarding data protection compliance.
Cloud users acting as controllers are obliged to confirm that the cloud providers implement adequate safeguards for any data transfers to these subprocessors outside of Türkiye. If the service provider fails to establish these safeguards, the responsibility may ultimately fall on the cloud user, exposing them to potential fines.
To mitigate these risks, cloud users should ensure that DP Agreements clearly delineate the responsibilities and obligations of both parties. This includes incorporating specific instructions from the controller regarding data handling practices, such as the cloud provider’s responsibility to implement adequate safeguards and robust liability and indemnity clauses.
While there is no general requirement for companies to maintain cloud computing infrastructure or conduct data storage activities exclusively within Türkiye, certain sector-specific regulations do apply (see 1.1 Data Privacy and Cloud Computing).
Banking and Finance Entities
The following entities must keep their primary and secondary information systems in Türkiye:
Electronic Communications Providers
In principle, electronic communications providers cannot transfer traffic data and location data abroad, for national security reasons. However, in certain cases, such data may be transferred abroad by obtaining the explicit consent of data subjects.
Social Network Providers (SNPs)
SNPs whose daily access is more than one million must take necessary measures to retain their Turkish users’ data in Türkiye.
Public Institutions and Organisations
Data from public institutions and organisations must not be stored in cloud services, except within the institutions’ own private systems or with local service providers under their control.
Additionally, critical information (eg, population records, health records, communication data, genetic data and biometric data) must be securely stored within Türkiye. This obligation also applies to entities providing critical infrastructure services.
Commercial Electronic Message Management System Integrators
The information processing system used in integrator services, including software, hardware and server infrastructure, must be located within a database inside Türkiye.
Conflicts of Law in Cross-Border Data Transfers
Unlike the GDPR, the DP Law does not provide clear regulations on territorial scope. As a general rule, the DP Law applies to controllers and processors established in Türkiye.
However, based on the DPA’s decisions, it appears that when data processing activities occur in Türkiye or involve data subjects located in Türkiye, the DP Law is applicable. In an unpublished decision, the DPA emphasised that the territorial scope provisions of the TCrC, which apply to offences committed in Türkiye or deemed to have been committed in Türkiye, meaning the offence is either partially or entirely committed in Türkiye or its effects occur within Türkiye, should serve as the basis for applying administrative fines defined under the DP Law. This implies that the DP Law shall be applicable if the behaviour or the result occurs in Türkiye.
Therefore, DP Law requirements should be considered for processing activities in cloud environments, when applicable. Controllers must be aware that while the DP Law aims to align with the GDPR, compliance with the GDPR does not ensure compliance with the DP Law.
Risks and Challenges Associated with International Data Transfers in the Cloud
International data transfers in the cloud context can pose various risks and challenges under applicable legislation, particularly the DP Law in Turkish law.
Controllers must select appropriate mechanisms for such transfers and implement necessary technical and administrative measures as mandated by DP Law. For instance, it can be inferred from the DP Law that a data transfer impact assessment should be conducted when relying on appropriate safeguards, as different countries may have varying levels of data protection and security standards (see 6.1 Cross-Border Transfer Regulation).
Although controllers must rely on appropriate safeguards for non-occasional transfers, obtaining regulatory approval is quite challenging; since the enactment of the DP Law, only ten controllers have managed to obtain such approval. Additionally, each application for regulatory approval poses the risk of incurring administrative fines if the data transfer abroad occurs before receiving the DPA’s approval (see 6.1 Cross-Border Transfer Regulation).
As a result, recent market practices indicate a tendency to prefer SCCs with an obligation to notify the DPA, rather than seeking regulatory approval through written undertakings or BCRs.
On the other hand, relying on SCCs presents its own set of challenges. In the cloud computing landscape, a handful of major operators dominate the market, complicating the negotiation process for clients seeking to implement SCCs. While some of these providers have begun the process of aligning their contracts with SCC requirements, the sheer volume of clients they serve often results in a one-size-fits-all approach to agreements. This dominance limits the flexibility for individual clients to negotiate terms that may better suit their specific needs.
Another challenge associated with SCCs is the requirement for wet signatures from all parties, along with notarised and, if applicable, apostilled documents that certify the authority of the signatories.
This requirement can create significant logistical hurdles for cloud providers with a large client base, as co-ordinating these processes for numerous clients can be time-consuming and resource-intensive, potentially delaying the establishment of necessary data transfer agreements.
As the regime for data transfer abroad is relatively new, many aspects still require clarification through guidelines and resolutions to be issued by the DPA.
Cloud Audits as Technical Measures
Under DP Law, controllers are obligated to conduct regular audits within their organisations. This requirement also extends to the processing activities conducted by their processors, ensuring that compliance measures are effectively implemented throughout the entire data handling chain. Therefore, cloud computing audits can be regarded as mandatory for implementing appropriate compliance measures, and failure to conduct these audits may lead to administrative fines under the DP Law (see 1.3 Penalties for Non-compliance With Data Privacy Regulations). Additionally, the controller's right to audit is typically incorporated into DP Agreements and reinforced with penalty and liability clauses.
On the other hand, in market practice, certain industry actors are expected to adopt standards such as ISO 27017:2015, which offers guidance on the information security aspects of cloud computing, including specific audit standards and effective security controls tailored to the cloud environment.
Compliance audits can be conducted either by internal IT teams or outsourced to third-party service providers. Sector-specific regulations must also be considered, as some industries, such as banking, are subject to legal requirements when outsourcing third-party services.
Engaging independent auditors is also a common practice that enhances credibility by providing impartial assessments, which is crucial for ensuring the integrity and accuracy of audit reports for compliance. Organisations often utilise standardised frameworks like ISO 27001 to maintain consistency and comprehensiveness in reporting, complemented by internal quality assurance processes that review findings before finalising reports.
Key Matters to be Considered for Cloud Audits
Compliance audits aim to ensure that cloud infrastructure meets laws and regulations while identifying vulnerabilities, inefficiencies, and security gaps. Key focus areas for compliance audits, particularly in cloud computing, include:
Effective management of audit trails and logs is also crucial for maintaining security and compliance. Organisations often implement centralised logging solutions that aggregate logs from various cloud services and applications, facilitating easier monitoring and analysis. Establishing retention policies is also essential (See 3.3 Data Retention and Deletion). Access to logs is controlled through restrictive measures, allowing only authorised personnel to view and manage logs, thereby preventing unauthorised access.
Addressing audit findings requires a systematic approach. Organisations typically develop action plans that outline specific steps to address specific steps, timelines and assigned responsibilities. Follow-up audits may also be conducted to verify that the issues have been appropriately addressed and mitigated.
NidaKule – Goztepe
Merdivenköy Mahallesi Bora
Sokak No 1
Kat:7 34732 Kadıköy
İstanbul
Türkiye
+90 216 468 88 50
+90 216 468 88 01
info@yazicioglulegal.com www.yazicioglulegal.com